EU RM Toolbox Library 02 - Assets Mappings

The document defines primary and supporting assets and provides examples of each. Primary assets include business processes, information/data, and services. Supporting assets include hardware, software, personnel, locations, and organizational infrastructure. Examples are given for different categories of each type of asset.

Assets Types & Categories (RM Toolbox)

Primary Assets

Definition: Primary assets include all the core business processes and functions, the services provided to external parties, and the information and data serving the business processes and/or activities of the organisation.

Category: Business Processes, Functions, Services
Definition: Business processes, functions and services.
Subcategories/Examples: All core business processes and functions, as well as services provided by the organisation to external parties.

Category: Information/Data
Definition: Information and data in all forms (storage, transmission etc.) that is of value.
Subcategories/Examples: A set of information/data which serves a specific business process or activity of the organisation.

Supporting Assets

Definition: Supporting assets include hardware, devices and equipment; software and applications; roles; locations and utilities; and the organisational infrastructure (e.g. policies, procedures and supporting ICT services).

Category: Hardware, devices and equipment
Definition: All physical elements, devices and equipment supporting business processes, functions and services.
Subcategories/Examples: Computing devices (e.g. end point devices, servers etc.), network devices and media, IoT devices, OT devices, telecommunication devices, peripherals, storage devices.

Category: Software and applications
Definition: Software and applications.
Subcategories/Examples: System software (e.g. operating systems), firmware, middleware, package software, business/end user applications.

Category: Personnel
Definition: Personnel with roles involved in business processes and functions, user support, software development and maintenance, hardware support, delivery of services and information/data management.
Subcategories/Examples: Decision makers, users, developers, administrators, operators, maintenance personnel, contractors.

Category: Location and Utilities
Definition: Premises containing or related to primary and supporting assets.
Subcategories/Examples: Locations and premises, such as buildings, rooms, offices and containers. Mobile platforms such as trucks, cars, ships etc. Essential services and utilities provided by external operators/providers, power and water supply etc.

Category: Organisational infrastructure (including ICT services)
Definition: Roles, management and supporting activities, and ICT services.
Subcategories/Examples: Organisational infrastructure including roles, policies, procedures, and ICT services (telecommunications, network, cloud, hosting etc.).
Prominent Frameworks

1. ISO/IEC 27005:2018

Primary Assets
Definition: Primary assets are usually the core processes and information of the activity in scope. Other primary assets such as the organisation's processes can also be considered, which are more appropriate for drawing up an information security policy or a business continuity plan.

Business Processes, Functions, Services
Definition: Business processes that are identified as sensitive.
Subcategories/Examples: For example:
— processes whose loss or degradation make it impossible to carry out the mission of the organisation;
— processes that contain secret processes or processes involving proprietary technology;
— processes that, if modified, can greatly affect the accomplishment of the organisation's mission;
— processes that are necessary for the organisation to comply with the applicable contractual, legal or regulatory requirements identified as per Clause 6.

Information/Data
Definition: Information that is identified as sensitive.
Subcategories/Examples: Primary information mainly comprises:
— vital information for the exercise of the organisation's mission or business;
— personal information, as can be defined specifically in national laws regarding privacy;
— strategic information required for achieving objectives determined by the strategic orientations;
— high-cost information whose gathering, storage, processing and transmission require a long time and/or involve a high acquisition cost.

Supporting Assets

Hardware, devices and equipment
Definition: Hardware comprises all the physical elements supporting processes.
Subcategories/Examples:
— Data processing equipment (active): Automatic information processing equipment including the items required to operate independently.
  — Transportable equipment: Portable computer equipment.
    EXAMPLE Laptop computer, Personal Digital Assistant (PDA).
  — Fixed equipment: Computer equipment used on the organisation's premises.
    EXAMPLE Server, microcomputer used as a workstation.
  — Processing peripherals: Equipment connected to a computer via a communication port (serial, parallel link, etc.) for entering, conveying or transmitting data.
    EXAMPLE Printer, removable disc drive.
— Data medium (passive): These are media for storing data or functions.
  — Electronic medium: An information medium that can be connected to a computer or computer network for data storage. Despite their compact size, these media can contain a large amount of data. They can be used with standard computing equipment.
    EXAMPLE Floppy disc, CD ROM, back-up cartridge, removable hard disc, memory key, tape.
  — Other media: Static, non-electronic media containing data.
    EXAMPLE Paper, slide, transparency, documentation, fax.

Software and applications
Definition: Software consists of all the programmes contributing to the operation of a data processing set.
Subcategories/Examples:
— Operating system: This includes all the programmes of a computer making up the operational base from which all the other programmes (services or applications) are run. It includes a kernel and basic functions or services. Depending on the architecture, an operating system may be monolithic or made up of a micro-kernel and a set of system services. The main elements of the operating system are all the equipment management services (CPU, memory, disc, and network interfaces), task or process management services and user rights management services.
— Service, maintenance or administration software: Software characterized by the fact that it complements the operating system services and is not directly at the service of the users or applications (even though it is usually essential or even indispensable for the global operation of the information system).
— Package software or standard software: Standard software or package software are complete products commercialized as such (rather than one-off or specific developments) with medium, release and maintenance. They provide services for users and applications, but are not personalized or specific in the way that business applications are.
  EXAMPLE Database management software, electronic messaging software, groupware, directory software, web server software, etc.
— Business application:
  1. Standard business application: This is commercial software designed to give users direct access to the services and functions they require from their information system in their professional context. There is a very wide, theoretically limitless, range of fields.
     EXAMPLE Accounts software, machine tool control software, customer care software, personnel competency management software, administrative software, etc.
  2. Specific business application: This is software in which various aspects (primarily support, maintenance, upgrading, etc.) have been specifically developed to give users direct access to the services and functions they require from their information system. There is a very wide, theoretically unlimited, range of fields.
     EXAMPLE Invoice management of telecom operators' customers, real time monitoring application for rocket launching.

Personnel
Definition: All groups of people involved with the information system.
Subcategories/Examples:
— Decision-maker: Decision-makers are the owners of the primary assets (information and functions) and the managers of the organisation or specific project.
  EXAMPLE Top management, project leader.
— Users: Users are the personnel who handle sensitive elements in the context of their activity and who have a special responsibility in this respect. They can have special access rights to the information system to carry out their everyday tasks.
  EXAMPLE Human resources management, financial management, risk manager.
— Operation/maintenance staff: These are the personnel in charge of operating and maintaining the information system. They have special access rights to the information system to carry out their everyday tasks.
  EXAMPLE System administrator, data administrator, back-up, Help Desk, application deployment operator, security officers.
— Developers: Developers are in charge of developing the organisation's applications. They have access to part of the information system with high-level rights but do not take any action on the production data.
  EXAMPLE Business application developers.

Location and Utilities
Definition: Sites comprise all the places containing the scope or part of the scope, and the physical means required for it to operate.
Subcategories/Examples:
— Location:
  — External environment: This concerns all locations in which the organisation's means of security cannot be applied.
    EXAMPLE Homes of the personnel, premises of another organisation, environment outside the site (urban area, hazard area).
  — Premises: This place is bounded by the organisation's perimeter directly in contact with the outside. This can be a physical protective boundary obtained by creating physical barriers or means of surveillance around buildings.
    EXAMPLE Establishment, buildings.
  — Zone: A zone is formed by a physical protective boundary forming partitions within the organisation's premises. It is obtained by creating physical barriers around the organisation's information processing infrastructures.
    EXAMPLE Offices, reserved access zone, secure zone.
— Essential services: All the services required for the organisation's equipment to operate.
  — Communication: Telecommunications services and equipment provided by an operator.
    EXAMPLE Telephone line, PABX, internal telephone networks.
  — Utilities:
    — Services and means (sources and wiring) required for providing power to information technology equipment and peripherals.
      EXAMPLE Low-voltage power supply, inverter, electrical circuit head-end.
    — Water supply.
    — Waste disposal.
    — Services and means (equipment, control) for cooling and purifying the air.
      EXAMPLE Chilled water pipes, air-conditioners.

Organisational infrastructure (including ICT services)
Definition: The organisation type describes the organisational framework, consisting of all the personnel structures assigned to a task and the procedures controlling these structures.
Subcategories/Examples:
— Authorities: These are organisations from which the studied organisation derives its authority. They can be legally affiliated or external. This imposes constraints on the studied organisation in terms of regulations, decisions and actions.
  EXAMPLE Administrating body, head office of an organisation.
— Structure of the organisation: This consists of the various branches of the organisation, including its cross-functional activities, under the control of its management.
  EXAMPLE Human resources management, IT management, purchasing management, business unit management, building safety service, fire service, audit management.
— Project or system organisation: This concerns the organisation set up for a specific project or service.
  EXAMPLE New application development project, information system migration project.
— Subcontractors/suppliers/manufacturers: These are organisations that provide the organisation with a service or resources and are bound to it by contract.
  EXAMPLE Facilities management company, outsourcing company, consultancy companies.
2. IT Security Risk Management Methodology v1.2

Primary Assets
Definition: Data Sets or Data (for short) managed by the Target System and the Functions provided by it.

Business Processes, Functions, Services (Functions)
Definition: The processing of information comprises all functions of a CIS with regard to Data Sets, including creation, storage, transmission, deletion and archiving of information. Processing of information can be provided by functionalities to users and as IT services to other CIS.
Subcategories/Examples: Generating the payroll, viewing a scorecard, processing an invoice, etc.

Information/Data (Data / Data Sets)
Definition: Means a set of information which serves a specific business process or activity of the Commission.
Subcategories/Examples: Examples of Data are user databases, payroll files, strategic plans, growth forecasts, Commission or system documentation, contracts, user manuals, training material, operational or support procedures, guidelines, documents containing important results of the Commission's business, continuity plans, or fall-back arrangements.

Supporting Assets
Definition: Asset used or involved in the processing of the Data and Functions provided by the Target System. Hardware, software, personnel, locations and services are the main supporting assets that build an IT System. Supporting Assets are also known as Secondary Assets or IT Assets.

Hardware, devices and equipment
Definition: Physical elements part of the Target System used for the processing, transmission and storage of primary […]
Subcategories/Examples:
1. End-point:
   - Portable: laptop, netbook, tablet, smartphone, smartcard, token, ...
   - Fixed: desktop, workstation, ...
2. Server: multi-purpose device (networked printer/copier/scanner with storage), SAN, NAS, backup/storage robot, ...
3. Network node: router, switch, bridge, gateway, hub, repeater, modem, Wifi access point
4. Network media:
   - Wired: copper cable, coaxial cable, twisted pair, optical fiber, ...
   - Wireless: Wifi, 802.11, Bluetooth, IR, radio, satellite, ...
5. Data media:
   - Digital: hard disk, floppy disk, CD, DVD, USB device, tapes, cartridge, memory card, ...
   - Non-digital: paper, (micro)film, slides, ...
6. Peripherals: printing equipment, reader/writer equipment, scanning equipment, keyboard, mouse, console, screen, ...

Software and applications
Definition: Programmes and applications of the target system related to the processing, transmission and storage of p[…]
Subcategories/Examples:
1. Firmware: BIOS, ...
2. Middleware:
   - Web browser
   - Web server: Tomcat
   - Application server: PHP server, net server, mobile application server, J2EE, WebSphere Application Server (WAS)
   - DB server
   - Network stack: OpenSSL, TCP/IP
   - Operating systems: Windows, Mac OS, Linux
   - Hypervisor: virtualization layer
3. End-user application/module: N/A

Personnel
Definition: People and roles that use the target system or are involved in the processing, transmission and storage of […]
Subcategories/Examples: Normal users, privileged users, service providers, system suppliers.

Location and Utilities
Definition: Infrastructures, offices and other premises related to the geographical location of the hardware and softwa[…]
Subcategories/Examples: Areas, buildings, rooms (e.g. office, computer room), physical containers (e.g. box, cupboard, safe, rack), mobile platforms (e.g. car, truck, bus, train, plane, ship, etc.).

Organisational infrastructure (including ICT services) / Supporting Asset of type "Service"
Definition: A service is a means of delivering data processing (Data Sets and Functions) to customers, internally or ex[…] up of a combination of Information Technology products (hardware and software), people and locations. A[…] Supporting Asset of type "Service" which is itself made of a sub-set of Supporting Assets.
Subcategories/Examples:
1. Data Center:
   - Hosting: N/A
   - Housing: N/A
2. Network services: Internet, LAN, MAN, WAN, Wifi, ADSL, X.25, ISDN, ...
3. Cloud services:
   - IaaS (Infrastructure as a Service)
   - SaaS (Software as a Service)
   - PaaS (Platform as a Service)
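As an added example (not code from the RM Toolbox, ISO/IEC 27005 or the IT Security Risk Management Methodology), the Python below encodes the toolbox's seven categories and the rule above that a Supporting Asset of type "Service" is itself made of a sub-set of Supporting Assets, then answers the question a risk assessor asks of such a register: which primary assets (Data Sets and Functions) are affected when a given supporting asset is lost? The asset names and dependency graph are constructed sample data.

```python
from dataclasses import dataclass, field
from enum import Enum
class AssetType(Enum):
    PRIMARY = "primary"
    SUPPORTING = "supporting"

# Added example, not RM Toolbox/ITSRM code: the seven categories of the Assets Mappings table.
PRIMARY_CATEGORIES = {"Business Processes, Functions, Services", "Information/Data"}
SUPPORTING_CATEGORIES = {"Hardware, devices and equipment", "Software and applications",
    "Personnel", "Location and Utilities", "Organisational infrastructure (including ICT services)"}

@dataclass
class Asset:
    name: str
    asset_type: AssetType
    category: str
    # Primary asset: supporting assets it relies on; "Service": the sub-set of supporting assets it is made of.
    depends_on: set = field(default_factory=set)

    def __post_init__(self):  # a category must belong to the asset's type
        allowed = PRIMARY_CATEGORIES if self.asset_type is AssetType.PRIMARY else SUPPORTING_CATEGORIES
        if self.category not in allowed:
            raise ValueError(f"{self.name}: {self.category!r} is not a {self.asset_type.value} category")

def impacted_primary_assets(register: dict, compromised: str) -> set:
    """Primary assets (Data Sets and Functions) whose processing involves `compromised`,
    following dependencies transitively: computer room -> server -> service -> process."""
    dependants = {}  # supporting asset -> names of the assets that depend on it
    for asset in register.values():
        for dep in asset.depends_on:
            dependants.setdefault(dep, set()).add(asset.name)
    seen, stack = set(), [compromised]
    while stack:
        for name in dependants.get(stack.pop(), ()):
            if name not in seen:
                seen.add(name)
                stack.append(name)
    return {n for n in seen if register[n].asset_type is AssetType.PRIMARY}

def sample_register() -> dict:  # constructed sample data (hypothetical names), not from the page
    p, s = AssetType.PRIMARY, AssetType.SUPPORTING
    assets = [Asset("Payroll processing", p, "Business Processes, Functions, Services", {"HR service"}),
              Asset("Payroll files", p, "Information/Data", {"HR service"}),
              Asset("HR service", s, "Organisational infrastructure (including ICT services)",
                    {"hr-db-01", "Tomcat", "DBA team"}),
              Asset("hr-db-01", s, "Hardware, devices and equipment", {"Computer room B2"}),
              Asset("Tomcat", s, "Software and applications", {"hr-db-01"}),
              Asset("DBA team", s, "Personnel"),
              Asset("Computer room B2", s, "Location and Utilities")]
    return {a.name: a for a in assets}
```

Losing the computer room, the DBA team or the Tomcat instance all resolve to the same two primary assets, which is the inherited-value argument for classifying and protecting supporting assets at the level of what they serve.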
